Authentication system and authentication method capable of realizing single-sign-on function used for application program on image forming apparatus

ABSTRACT

The management server authenticates the user on the basis of the authentication request using the user name and the password received from the image forming apparatus, generates user session information obtained in a process of the user authentication process, stores the user session information in association with the IP address of the image forming apparatus in the third memory, and supplies the user session information in response to an inquiry using the IP address from the third party server. The third party server receives the authentication request using the IP address from the image forming apparatus, makes an inquiry to the management server by using the IP address, and authenticates the user on the basis of the returned user session information.

CROSS REFERENCE TO RELATED APPLICATION

This application claims the benefit of Japanese Priority Patent Application JP 2016-183774 filed Sep. 21, 2016, the entire contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION 1. Field of the Invention

The present disclosure relates to single-sign-on to a plurality of application programs that an image forming apparatus (MFP, Multifunction Peripheral) executes.

2. Description of Related Art

In the past, in order to use a plurality of application services, it is necessary to log in to the respective application services, which is troublesome.

In view of this, there is known a single-sign-on method that enables use of a plurality of application services with single login.

However, a single-sign-on method for a typical web application server is complicated since there is no use environment limitation.

It is desirable to provide an authentication system and an authentication method.

SUMMARY OF THE INVENTION

According to an embodiment of the present disclosure, there is provided an authentication system, including:

a management server;

an image forming apparatus; and

a third party server, in which

the image forming apparatus includes

-   -   a first communication device capable of communicating via a         network,     -   an operation device,     -   a display device,     -   a first memory that stores a management client program that         operates in cooperation with the management server,     -   a second memory that stores a third party client program that         operates in cooperation with the third party server, and     -   a first processor that executes the management client program         and the third party client program,

when the first processor executes the management client program, the first processor

-   -   receives login of a user,     -   sends an authentication request to the management server by         using the received user name and password, and     -   starts up the third party client program on the basis of an         instruction input by a user via the operation device,

when the first processor executes the third party client program, the first processor

-   -   obtains an IP address of the image forming apparatus, the third         party client program being running on the image forming         apparatus, and     -   sends the IP address and an authentication request together to         the third party server,

the management server includes

-   -   a second communication device capable of communicating via the         network,     -   a third memory,     -   a fourth memory that stores a management server program, and     -   a second processor that executes the management server program,

when the second processor executes the management server program, the second processor

-   -   authenticates the user on the basis of the authentication         request using the user name and the password received from the         image forming apparatus,     -   generates user session information obtained in a process of the         user authentication process,     -   stores the user session information in association with the IP         address of the image forming apparatus in the third memory, and     -   supplies the user session information in response to an inquiry         using the IP address from the third party server,

the third party server includes

-   -   a third communication device capable of communicating via the         network,     -   a fifth memory that stores a third party server program, and     -   a third processor that executes the third party server program,         and

when the third processor executes the third party server program, the third processor

-   -   receives the authentication request using the IP address from         the image forming apparatus,     -   makes an inquiry to the management server by using the IP         address, and     -   authenticates the user on the basis of the returned user session         information.

According to an embodiment of the present disclosure, there is provided an authentication method of an authentication system including a management server, an image forming apparatus, and a third party server connected to a network, the authentication method including:

via the image forming apparatus, receiving login of a user;

via the image forming apparatus, sending an authentication request to the management server by using the received user name and password;

via the management server, authenticating the user on the basis of the authentication request using the user name and the password received from the image forming apparatus, generating user session information obtained in a process of the user authentication process, and storing the user session information in association with the IP address of the image forming apparatus in the memory device;

via the image forming apparatus, starting up the third party client program on the basis of an instruction input by a user via the operation device;

when executing the third party client program, obtaining an IP address of the image forming apparatus, the third party client program being running on the image forming apparatus;

when executing the third party client program, sending the IP address and an authentication request together to the third party server;

via the third party server, receiving the authentication request using the IP address from the image forming apparatus, and making an inquiry to the management server by using the IP address;

via the management server, supplying the user session information in response to an inquiry using the IP address from the third party server; and

via the third party server, authenticating the user on the basis of the returned user session information.

These and other objects, features and advantages of the present disclosure will become more apparent in light of the following detailed description of best mode embodiments thereof, as illustrated in the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a schematic diagram of an entire configuration of the authentication system 1 according to an embodiment of the present disclosure;

FIG. 2 shows a schematic diagram of a flow of the process of the authentication system 1 according to the embodiment of the present disclosure;

FIG. 3 shows a schematic diagram of a block configuration of the management server 10;

FIG. 4 shows a schematic diagram of a block configuration of the image forming apparatus 20;

FIG. 5 shows a schematic diagram of a block configuration of the third party server 30; and

FIG. 6 shows a flow chart of the process of the authentication system 1.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinafter, an embodiment of the present disclosure will be described with reference to the drawings.

Firstly, an entire configuration of an authentication system according to an embodiment will be described. FIG. 1 shows a schematic diagram of an entire configuration of the authentication system 1 according to an embodiment of the present disclosure.

The authentication system 1 includes the management server 10, the image forming apparatus 20, and the third party server 30 connected to a LAN (Local Area Network).

A plurality of application programs, which are not pre-installed, are installed in the image forming apparatus 20 to be used.

In order to use those application programs, firstly, a user has to log in to the management client program 21 a, i.e., one of the application programs, by using an operation panel of the image forming apparatus 20.

The management client program 21 a uses the management server 10 in order to authenticate a user when the user logs in.

The third party client program 21 b is one of the application programs and is supplied from a third party. The third party client program 21 b executes specific process in cooperation with the third party server 30 connected to the LAN.

Where a single-sign-on function is not used, a user logs in to the management client program 21 a by using a user name, a password, and the like, then starts up the third party client program 21 b by using a displayed operation window, and has to input a user name, a password, and the like again in the third party client program 21 b to log in to the third party client program 21 b.

According to the authentication system 1 of the embodiment of the present disclosure, once a user logs in to the management client program 21 a, when newly starting up another third party client program 21 b, the login procedure to the third party client program 21 b may be omitted.

The entire configuration of the authentication system 1 according to the embodiment of the present disclosure has been described above.

Next, a schematic flow of the process of the authentication system 1 according to the embodiment of the present disclosure will be described. FIG. 2 shows a schematic diagram of a flow of the process of the authentication system 1 according to the embodiment of the present disclosure.

(1) Firstly, a user logs in to the management client program 21 a by using an operation panel of the image forming apparatus 20.

(2) Next, the management client program 21 a sends an authentication request to the management server 10 by using a user name and a password input by the user.

(3) Next, the management server 10 authenticates the user, and returns authentication-OK when there is no problem. Up to the present process, login of the user to the management client program 21 a is completed.

(4) The management server 10 stores the IP address of the image forming apparatus 20 and user session information generated in the user authentication process for single-sign-on.

(5) Next, in response to an instruction input by the user, the management client program 21 a starts up the third party client program 21 b.

(6) Next, the third party client program 21 b obtains the IP address of the image forming apparatus 20, the third party client program 21 b being running on the image forming apparatus 20.

(7) Next, the third party client program 21 b sends the obtained IP address and an authentication request together to the third party server 30.

(8) Next, the third party server 30 makes an inquiry to the management server by using the received IP address.

(9) Next, the management server 10 selects user session information (including user name) corresponding to the IP address used for the inquiry, and returns the user session information to the third party server 30.

(10) Next, the third party server 30 authenticates the user by using the received user session information, and returns authentication-OK to the third party client program 21 b.

As described above, only one user is capable of logging in to the image forming apparatus 20 of the authentication system 1. Therefore the user session information of the user logging in to the management client program 21 a corresponds to the IP address of the image forming apparatus 20 one-to-one.

As a result, according to the single-sign-on function for the third party client program 21 b, it is possible to search, by using the IP address of the image forming apparatus 20 as a key, the plurality of user session information items stored in the management server 10 for corresponding user session information, and to obtain the corresponding user session information.

The schematic flow of the process of the authentication system 1 according to the embodiment of the present disclosure has been described above.

Next, a configuration of the management server 10 will be described. The management server 10 may include dedicated hardware and software, or may be a general-purpose computer. FIG. 3 shows a schematic diagram of a block configuration of the management server 10.

As shown in FIG. 3, the management server 10 includes the CPU (Central Processing Unit) 11, the ROM (Read Only Memory) 12, the RAM (Random Access Memory) 13, the operation input devices 14, the communication device 15 (second communication device), the display device 16, and the memory device 17, which are connected to each other via the bus 18.

The ROM 12 stores a plurality of programs such as firmware and data used to execute various kinds of process. The RAM 13 is used as a work area for the CPU 11, and temporarily stores the OS (Operating System), various applications being executed, and various data being processed.

The memory device 17 is, for example, an HDD (Hard Disk Drive), a flash memory, or another nonvolatile memory. The memory device 17 (third memory) stores the OS, various applications, various data, the user session information 17 a, and the IP address 17 b.

The user session information 17 a is information obtained when the management client program 21 a authenticates a user logging in, and includes a user name and the like.

The IP address 17 b is an IP address of the image forming apparatus 20 with which the user session is established when a user logs in by using the management client program 21 a.

The communication device 15 is connected to the network in order to send and receive information to and from the image forming apparatus 20 and the third party server 30.

In response to a command supplied from the operation input devices 14, the CPU 11 loads a corresponding program in the RAM 13 out of a plurality of programs stored in the ROM 12 (fourth memory) and the memory device 17 (fourth memory), and executes the loaded program to appropriately control the display device 16 and the memory device 17.

The operation input devices 14 include, for example, a pointing device such as a mouse, a keyboard, a touch panel, and other operation devices.

The display device 16 is, for example, a liquid crystal display, an EL (Electro-Luminescence) display, a plasma display, or the like.

The CPU 11 (second processor) executes the management server program to thereby realize functional blocks, which will be described next.

The CPU 11 of the management server 10 realizes functional blocks including the first authentication unit 11 a and the user session information supply unit 11 b.

The first authentication unit 11 a authenticates a user logging in to the image forming apparatus 20 in cooperation with the management client program 21 a of the image forming apparatus 20.

More specifically, the first authentication unit 11 a authenticates a user on the basis of an authentication request using a user name and a password received from the first authentication request unit 21 d of the image forming apparatus 20. In addition, the first authentication unit 11 a generates the user session information 17 a, and stores the user session information 17 a and the IP address 17 b of the image forming apparatus 20 in the memory device 17.

In response to an inquiry using an IP address from the third party server 30, the user session information supply unit 11 b supplies the user session information 17 a obtained in a process of the user authentication process executed by the first authentication unit 11 a.

The configuration of the management server 10 has been described above.

Next, the configuration of the image forming apparatus 20 will be described. FIG. 4 shows a schematic diagram of a block configuration of the image forming apparatus 20.

The image forming apparatus 20 includes the controller unit 21. The controller unit 21 includes a CPU, a RAM, a ROM, a dedicated hardware circuit, and the like, and controls overall operations of the image forming apparatus 20.

The controller unit 21 is connected to the image scanner 22, the image processor 23, the image memory 24, the image forming device 25, the operation devices 26, the display device 26 a, the facsimile communication device 27, the communication device 28 (first communication device), the memory device 29, and the like. The controller unit 21 controls the connected devices to operate, and sends and receives signals or data to and from the devices.

In response to job execution instructions input by a user via the operation device 26, a PC connected to the network, or the like, the controller unit 21 controls driving and processing of the mechanisms necessary to execute operational control of the respective functions such as a scanner function, a print function, a copy function, and a facsimile sending and receiving function.

Further, the controller unit 21 includes the management client program 21 a and the third party client program 21 b. The CPU loads the programs stored in the ROM in the RAM and executes the programs to thereby realize the functional blocks including the management client program 21 a and the third party client program 21 b.

The CPU (first processor) of the controller unit 21 loads the management client program 21 a stored in the ROM or the like (first memory) in the RAM, and executes the management client program 21 a to thereby operate as the login reception unit 21 c, the first authentication request unit 21 d, and the program start-up unit 21 e. The management client program 21 a is an application program that authenticates a user logging in by using the operation device 26 in cooperation with the management server 10.

The login reception unit 21 c receives login of a user via the operation device 26.

The first authentication request unit 21 d sends an authentication request to the first authentication unit 11 a of the management server 10 by using a user name and a password received from the login reception unit 21 c.

The program start-up unit 21 e starts up the installed third party client program 21 b in response to an instruction input by a user via the operation device 26.

The CPU (first processor) of the controller unit 21 loads the third party client program 21 b stored in the ROM or the like (second memory, the first memory being the same as or different from the second memory) in the RAM, and executes the third party client program 21 b to thereby operate as the IP address obtaining unit 21 f and the second authentication request unit 21 g. The third party client program 21 b is an application program supplied from a third party, and operates in cooperation with the third party server 30.

The IP address obtaining unit 21 f obtains the IP address of the image forming apparatus 20, the third party client program 21 b being running on the image forming apparatus 20.

The second authentication request unit 21 g sends the IP address obtained by the IP address obtaining unit 21 f and an authentication request together to the third party server 30.

The image scanner 22 captures an image from a document.

The image processor 23 as necessary processes an image of image data of the image captured by the image scanner 22. For example, the image processor 23 corrects shading of an image captured by the image scanner 22 to improve the quality of the formed image.

The image memory 24 has an area for temporarily storing document image data captured by the image scanner 22, and an area for temporarily storing data to be printed by the image forming device 25.

The image forming device 25 forms an image of image data captured by the image scanner 22, for example.

The operation devices 26 include a touch panel unit and an operation key unit that receive, from a user, instructions of various operations and process that the image forming apparatus 20 can execute. The touch panel unit includes the display device 26 a such as an LCD (Liquid Crystal Display) with a touch panel.

The facsimile communication device 27 includes an encoder/decoder, a modulator/demodulator, and an NCU (Network Control Unit) (not shown), and sends facsimile via a public telephone network.

The communication device 28 includes a communication module such as a LAN board. The communication device 28 sends and receives various data to and from apparatuses (PCs, etc.) such as the management server 10 and the third party server 30 via the LAN and the like connected to the communication device 28.

The memory device 29 stores document images captured by the image scanner 22 and other data. The memory device 29 is a large volume memory device such as an HDD.

The configuration of the image forming apparatus 20 has been described above.

Next, a configuration of the third party server 30 will be described. The third party server 30 may include dedicated hardware and software, or may be a general-purpose computer. FIG. 5 shows a schematic diagram of a block configuration of the third party server 30.

As shown in FIG. 5, the third party server 30 includes the CPU 31, the ROM 32, the RAM 33, the operation input devices 34, the communication device 35 (third communication device), the display device 36, and the memory device 37, which are connected to each other via the bus 38.

The ROM 32 stores a plurality of programs such as firmware and data used to execute various kinds of process. The RAM 33 is used as a work area for the CPU 31, and temporarily stores the OS, various applications being executed, and various data being processed.

The memory device 37 is, for example, an HDD, a flash memory, or another nonvolatile memory. The memory device 37 stores the OS, various applications, and various data.

The communication device 35 is connected to the network in order to send and receive information to and from the image forming apparatus 20 and the management server 10.

In response to a command supplied from the operation input devices 34, the CPU 31 loads a corresponding program in the RAM 33 out of a plurality of programs stored in the ROM 32 (fifth memory) and the memory device 37 (fifth memory), and executes the loaded program to appropriately control the display device 36 and the memory device 37.

The operation input devices 34 include, for example, a pointing device such as a mouse, a keyboard, a touch panel, and other operation devices.

The display device 36 is, for example, a liquid crystal display, an EL display, a plasma display, or the like.

The CPU 31 (third processor) executes the third party server program to thereby realize functional blocks, which will be described next.

The CPU 31 of the third party server 30 realizes a functional block, i.e., the second authentication unit 31 a.

The second authentication unit 31 a realizes the single-sign-on function for a user logging in to the image forming apparatus 20 in cooperation with the third party client program 21 b of the image forming apparatus 20.

More specifically, the second authentication unit 31 a receives an authentication request using an IP address from the second authentication request unit 21 g of the image forming apparatus 20. In addition, the second authentication unit 31 a makes an inquiry to the user session information supply unit 11 b of the management server 10 by using the IP address. The second authentication unit 31 a authenticates a user on the basis of returned user session information.

The configuration of the third party server 30 has been described above.

Next, a detailed flow of the process of the authentication system 1 will be described. FIG. 6 shows a flow chart of the process of the authentication system 1.

Firstly, the login reception unit 21 c receives login of a user via the operation device 26 (Step S1).

Next, the first authentication request unit 21 d sends a user name and a password input by the user and an authentication request together to the first authentication unit 11 a of the management server 10 (Step S2).

Next, the first authentication unit 11 a authenticates the user by using the received user name and password. Where the first authentication unit 11 a succeeds in authentication, the first authentication unit 11 a returns an authentication-OK message to the first authentication request unit 21 d (Step S3).

Where the first authentication unit 11 a succeeds in authentication, the first authentication unit 11 a stores the IP address 17 b of the image forming apparatus 20, which sent the authentication request, and the user session information 17 a obtained in a process of authentication in the memory device 17 (Step S4).

Next, the program start-up unit 21 e starts up the third party client program 21 b on the basis of an instruction input by the user (Step S5).

Next, the IP address obtaining unit 21 f of the third party client program 21 b obtains the IP address of the image forming apparatus 20, the third party client program 21 b being running on the image forming apparatus 20 (Step S6).

Next, the second authentication request unit 21 g sends the obtained IP address and an authentication request together to the second authentication unit 31 a of the third party server 30 (Step S7).

Next, the second authentication unit 31 a makes an inquiry to the user session information supply unit 11 b of the management server 10 by using the received IP address (Step S8).

Next, the user session information supply unit 11 b obtains the user session information 17 a corresponding to the received IP address from the memory device 17, and returns the user session information 17 a to the second authentication unit 31 a (Step S9).

Next, the second authentication unit 31 a authenticates the user by using the returned user session information 17 a. Where the second authentication unit 31 a succeeds in authentication, the second authentication unit 31 a returns an authentication-OK message to the second authentication request unit 21 g (Step S10).

The detailed flow of the process of the authentication system 1 has been described above.

As described above, according to the present embodiment, the authentication system 1 includes the management server 10, the image forming apparatus 20, and the third party server 30 connected to a network. The image forming apparatus 20 includes the first communication device 28 capable of communicating via the network, the operation devices 26, the display device 26 a, the management client program 21 a that operates in cooperation with the management server 10, and the third party client program 21 b that operates in cooperation with the third party server 30. The management client program 21 a includes the login reception unit 21 c, the first authentication request unit 21 d, and the program start-up unit 21 e. The login reception unit 21 c receives login of a user. The first authentication request unit 21 d sends an authentication request to the management server 10 by using a user name and a password received from the login reception unit 21 c. The program start-up unit 21 e starts up the third party client program 21 b on the basis of an instruction input by a user via the operation device 26. The third party client program 21 b includes the IP address obtaining unit 21 f and the second authentication request unit 21 g. The IP address obtaining unit 21 f obtains the IP address 17 b of the image forming apparatus 20, the third party client program 21 b being running on the image forming apparatus 20. The second authentication request unit 21 g sends the IP address 17 b obtained by the IP address obtaining unit 21 f and an authentication request together to the third party server 30. The management server 10 includes the second communication device 15 capable of communicating via the network, the memory device 17, the first authentication unit 11 a, and the user session information supply unit 11 b. The first authentication unit 11 a authenticates the user on the basis of the authentication request using the user name and the password received from the first authentication request unit 21 d of the image forming apparatus 20, generates the user session information 17 a obtained in a process of the user authentication process, and stores the user session information 17 a in association with the IP address 17 b of the image forming apparatus 20 in the memory device 17. The user session information supply unit 11 b supplies the user session information 17 a in response to an inquiry using the IP address 17 b from the third party server 30. The third party server 30 includes the third communication device 35 capable of communicating via the network, and the second authentication unit 31 a. The second authentication unit 31 a receives the authentication request using the IP address 17 b from the second authentication request unit 21 g of the image forming apparatus 20, makes an inquiry to the user session information supply unit 11 b of the management server 10 by using the IP address 17 b, and authenticates the user on the basis of the returned user session information 17 a.

Therefore it is possible to realize a simple single-sign-on function used for application programs running on an image forming apparatus.

It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and alterations may occur depending on design requirements and other factors insofar as they are within the scope of the appended claims or the equivalents thereof. 

What is claimed is:
 1. An authentication system, comprising: a management server; an image forming apparatus; and a third party server, wherein the image forming apparatus includes a first communication device capable of communicating via a network, an operation device, a display device, a first memory that stores a management client program that operates in cooperation with the management server, a second memory that stores a third party client program that operates in cooperation with the third party server, and a first processor that executes the management client program and the third party client program, when the first processor executes the management client program, the first processor receives login of a user, sends an authentication request to the management server by using the received user name and password, and starts up the third party client program on the basis of an instruction input by a user via the operation device, when the first processor executes the third party client program, the first processor obtains an IP address of the image forming apparatus, the third party client program being running on the image forming apparatus, and sends the IP address and an authentication request together to the third party server, the management server includes a second communication device capable of communicating via the network, a third memory, a fourth memory that stores a management server program, and a second processor that executes the management server program, when the second processor executes the management server program, the second processor authenticates the user on the basis of the authentication request using the user name and the password received from the image forming apparatus, generates user session information obtained in a process of the user authentication process, stores the user session information in association with the IP address of the image forming apparatus in the third memory, and supplies the user session information in response to an inquiry using the IP address from the third party server, the third party server includes a third communication device capable of communicating via the network, a fifth memory that stores a third party server program, and a third processor that executes the third party server program, and when the third processor executes the third party server program, the third processor receives the authentication request using the IP address from the image forming apparatus, makes an inquiry to the management server by using the IP address, and authenticates the user on the basis of the returned user session information.
 2. The authentication system according to claim 1, wherein one user logs in to the management client program at a time, and the user session information of the user logging in to the management client program corresponds to the IP address of the image forming apparatus one-to-one.
 3. The authentication system according to claim 2, wherein the third memory of the management server stores a plurality of user session information items, and when the second processor executes the management server program, the second processor searches, by using the IP address from the third party server as a key, the plurality of user session information items stored in the third memory for corresponding user session information, and obtains the corresponding user session information.
 4. An authentication method of an authentication system including a management server, an image forming apparatus, and a third party server connected to a network, the authentication method comprising: via the image forming apparatus, receiving login of a user; via the image forming apparatus, sending an authentication request to the management server by using the received user name and password; via the management server, authenticating the user on the basis of the authentication request using the user name and the password received from the image forming apparatus, generating user session information obtained in a process of the user authentication process, and storing the user session information in association with the IP address of the image forming apparatus in the memory device; via the image forming apparatus, starting up the third party client program on the basis of an instruction input by a user via the operation device; when executing the third party client program, obtaining an IP address of the image forming apparatus, the third party client program being running on the image forming apparatus; when executing the third party client program, sending the IP address and an authentication request together to the third party server; via the third party server, receiving the authentication request using the IP address from the image forming apparatus, and making an inquiry to the management server by using the IP address; via the management server, supplying the user session information in response to an inquiry using the IP address from the third party server; and via the third party server, authenticating the user on the basis of the returned user session information. 